Security

Defcon Voting Village report: bug in one system could “flip Electoral College”

posted on September 27, 2018
by l33tdawg
Credit: Arstechnica

Today, six prominent information-security experts who took part in DEF CON's Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters.

Russia’s Elite Hackers Have a Clever New Trick That's Very Hard to Fix

posted on September 27, 2018
by l33tdawg
Credit: Wired

The Fancy Bear hacking group has plenty of tools at its disposal, as evidenced by its attacks against the Democratic National Committee, the Pyeongchang Olympics, and plenty more. But cybersecurity firm ESET appears to have caught the elite Russian team using a technique so advanced, it hadn’t ever been seen in the wild until now.

Malware steals passwords from 6.4 million SHEIN customers

posted on September 26, 2018
by l33tdawg
Credit: Hot for Security

Women’s fashion retailer SHEIN has suffered a major security breach that has exposed the personal information and passwords of over six million customers.

In a press statement, SHEIN reveals that it discovered on August 22 2018 that malicious hackers had compromised its computer network, and that between June and early August 2018 customer email addresses and “encrypted password credentials” had been stolen.

Why the market for zero-day vulnerabilities on the dark web is vanishing

posted on September 25, 2018
by l33tdawg
Credit: Fifth Domain

For years the secretive market for zero-day exploits — unpatched bugs in software or hardware — thrived in the dark corners of the internet. But vulnerability sales have been all but driven off the dark web, according to experts, and now operate in the open.

The cyber intelligence firm FireEye has only recorded three zero-day sellers on the dark web so far this year, Jared Semrau, a vulnerability and exploitation manager at the firm, told Fifth Domain. That compares to the peak of at least 32 zero-day sellers in that marketplace in 2013, Semrau said.

The MITRE ATT&CK Framework: Exfiltration

posted on September 25, 2018
by l33tdawg
Credit: Tripwire

Once an attacker has established access and pivoted around to the point of gathering the necessary data, they will work on exfiltration of that data. Not all malware will reach this stage.

Ransomware, for example, usually has no interest in exfiltrating data. As with the Collection tactic, there’s little guidance on how to mitigate an attacker exfiltrating data from the enterprise.

Report outlines keys to election security

posted on September 25, 2018
by l33tdawg
Credit: MIT

The most secure form of voting technology remains the familiar, durable innovation known as paper, according to a report authored by a group of election experts, including two prominent scholars from MIT.

The report, issued by the National Academies of Science, Engineering, and Medicine, is a response to the emerging threat of hackers targeting computerized voting systems, and it comes as concerns continue to be aired over the security of the U.S. midterm elections of 2018.

Think Like An Attacker: How a Red Team Operates

posted on September 20, 2018
by l33tdawg
Credit: QMedia Solutions

If you want to stop an attacker, you have to think like an attacker.

That's the general mindset of someone on the red team, a group of people within an organization responsible for, well, attacking it. Their goal is to act like the adversary and figure out different ways to break into a company so it can strengthen its defenses.

GovPayNow.com Leaks 14M+ Records

posted on September 20, 2018
by l33tdawg
Credit: Krebs on Security

Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

Nintendo Switch Online has already been hacked to add new NES games

posted on September 20, 2018
by l33tdawg
Credit: BGR

Just hours after launching, the brand new Nintendo Switch Online service has already been hacked. One of the key features of Nintendo Switch Online is the ever-expanding library of classic NES games which you can play online with your friends. Unfortunately, the launch lineup is rather paltry, with a couple of highlights and a bunch of filler. And so it probably won’t surprise you to learn that by Tuesday night, the NES library had been hacked.

Ethereum Smart Contract Specification Impact Analysis

posted on September 19, 2018
by l33tdawg
Credit: Ethereum

The 'Unemitted Transfer Event Issue', 'Unemitted Approval Event Issue', 'Fake Recharge Vulnerability' and 'Writing Errors of Constructed Function' are uniformly classified as 'Ethereum's smart contract specification problems' in the 'Knownsec Ethereum Contract Audit Checklist', which was sorted out by the Knownsec 404 Blockchain Security Research Team.